# general
s
This message was deleted.
b
you can use an encrypted pulumi secret
our approach is to use pulumi.random to generate the password, and put it in a keyvault
also you might want to use an azure ad group instead of a single user as the admin
so that you can add yourself to it and log in for troubleshooting
g
ok thanks, I also thought about AD, but in my case it looks like too big an overhead. What do you mean by encrypted pulumi secret? is there any api to add entries to Pulumi.stack.yaml? or generating passwords outside of pulumi and passing them to it on pulumi up with --secret?
b
yeah you can do pulumi config to set a secret
and it will make an entry you can retrieve as normal
but it will be encrypted in the yaml
g
sorry, you mean to do it with pulumi config set command right?
b
yeah
g
ah ok thanks
b
iirc it's --secret
g
👍
b
If you want to create the secret programmatically, you can use the pulumi.secret(v) function and it'll be encrypted in the state file, just like the CLI does. This combines nicely with what Oliver suggested, e.g. generating it with the random package.
g
yes, right. it looks like the simplest option, thanks